The section on security considerations sheds some light on the problems that we
can't solve within slock but which the user has to solve in his X configuration.
FRIGN on hackers@suckless.org:
What has been bugging me for quite a while is this DPMS comment that was added
there for no reason. Every sane mind would agree that fiddling with DPMS makes
no sense whatsoever. When I slock, my screen turns off after 10 minutes. So, if
I don't like that, I disable DPMS. If I do, I just fiddle around with my mouse a
bit and get the slock promt.
This was extremely bad practice, effectively making the program behave
different depending on which architecture you are running it on.
OpenBSD offers getpwuid_shadow, but there is no getspuid for getspnam,
so we resort to using the pw_name entry in the struct passwd we filled
earlier.
This prevents slock from crashing when $USER is empty (easy to do). If
you want to run slock as a different user, don't use
$ USER="tom" slock
but doas or sudo which were designed for this purpose.
The cleanup removal is a joint-venture with Markus. We assume the X server does
the cleanup, so we don't need it. The idea is that the fds are closed at exit
and thus already indicate to the X server that the client has quit. Analogously
the same applies to freeing memory sections previously allocated for the X
server.
We love XXXXXL burgers and therefore removed
XUngrabPointer
XUngrabKeyboard
XFreeColors
XFreePixmap
XDestroyWindow
Lines of Code.
For a project like slock there is no need to carry around global state. By
moving the three structures to main() it is now clear which functions modify
which state, greatly improving the readability of the code, especially given
slock is a suid program.
Don't hide privilege drops inside readpw() and actually make it
configurable what you are dropping to in config.h.
The privilege drop comes after opening the Display because the
user "nobody" with "nogroup" can't do that.
So why do I call this strategy the Polyphemus-Mitigation?
"""
After the giant returns in the evening and eats two more of the men,
Odysseus offers Polyphemus some strong and undiluted wine given to him
earlier on his journey. Drunk and unwary, the giant asks Odysseus his
name, promising him a guest-gift if he answers. Odysseus tells him
"Οὖτις", which means "nobody" and Polyphemus promises to eat this
"Nobody" last of all. With that, he falls into a drunken sleep. Odysseus
had meanwhile hardened a wooden stake in the fire and now drives it into
Polyphemus' eye. When Polyphemus shouts for help from his fellow giants,
saying that "Nobody" has hurt him, they think Polyphemus is being
afflicted by divine power and recommend prayer as the answer.
"""
(source: https://en.wikipedia.org/wiki/Polyphemus)
We actually “need” to wait a little for input to be released before
locking for cases where slock is spawned from other graphical
applications using keybindings.
This undoes the misbehaviour I introduced in c2f9757, sorry for the mess.
- Use file pointers instead of raw I/O, inspired by Kernel code.
- Use OOM_SCORE_ADJ_MIN from linux/oom.h instead of working with
magic values.
- Stricter error checking and descriptive error messages.
The reasoning for using the constant rather than magic values lies
in the fact that this ensures people get the message.
With "-1000", a code reviewer would question if that is really the
lowest possible number or just an arbitrary value.
The kernel ABI probably won't change, but even in the case, we wouldn't
have to modify the code. The OOM killer only is guaranteed to not
kill you if you have OOM_SCORE_ADJ_MIN.
In all honor, the previous usage was formally more correct, but for the
sake of consistency across all the tools having the v-flag, I separated
it from the command-string.
Also, make use of the mandoc macros for the manpage. This makes it
easier to maintain, extend and change in the future.
We want to know at once if slock failed or not to lock the screen, not
seing a black screen for a whole second (or two) and then die.
Thanks to ^7heo for reporting this.
- Add arg.h and fix usage
Given slock is suid we don't want to have half-measures in place to
parse the arguments in case the code is changed in the future with
somebody not paying enough attention.
Also, fix the usage string output to be more consistent across the
suckless toolbase and make it reflect the manpage entry.
- Comments
Use proper block comments and add/change them where necessary
to help in studying the code.
- Error messages
Consistently prepend them with "slock:" and fix wording and
do a proper cleanup before quitting (XCloseDisplay and free
the locks), making the die() semantics consistent with st's.
- getpwuid() error reporting
Properly present an error message if getpwuid() fails.
- fork() error reporting
Properly present an error message if fork() fails. If we cannot
close the connection within the fork context we abort the
operation and report an error.
- execvp() error handling
If execvp fails, we cannot call die() afterwards as this implies
calling exit(). We must use _exit() to prevent the libc from
doing now "illegal" cleanup-work.
Make sure to explicitly clear memory that is used for password input. memset
is often optimized out by the compiler.
Brought to attention by the OpenBSD community, see:
https://marc.info/?t=146989502600003&r=1&w=2
Thread subject: x11/slock: clear passwords with explicit_bzero
Changes:
- explicit_bzero.c import from libressl-portable.
- Makefile: add COMPATSRC for compatibility src.
- config.mk: add separate *BSD section in config.mk to simply uncomment it on
these platforms.
This reverts most of commit a6dc051e37 and fixes
some related stuff:
- keep spelling fixes from original commit
- make -h and -v also work when followed by more arguments
- any unknown flag prints usage
- fix output of -v to display "slock: version 1.3" instead of "slock: slock-1.3"
There are 2 arguments why -v and -h are broken:
1) if you are running off git, -v will show the last stable
release, effectively making this option useless.
people running stable versions leave open an attack surface
this way in case there are vulnerabilities found.
99% of the people are also using package managers to keep
their software up to date, instead of running $TOOL -v to
check how old it is.
2) -h is a sad excuse for not just looking at the manual page
(man 1 slock). Given we accept a post_lock_command, we can't
be as liberal and just intercept certain flags.
I changed the manpage to reflect this change.
There really is no need to source a defined variable from a linux
header. The OOM-rank ranges from -1000 to 1000, so we can safely
hardcode -1000, which is a sane thing to do given slock is suid and
we don't want to play around too much here anyway.
On another notice, let's not forget that this still is a shitty
heuristic. The OOM-killer still can kill us (thus I also changed
the wording in the error-message. We do not disable the OOM-killer,
we're just hiding.